Commit 65e042d

Clarify recovery from ffwd on delegated targets
Akin to the recovery from fast-forward attacks on the top-level targets role, if a delegated targets role has been compromised, the previously trusted delegated targets metadata and the previously trusted snapshot metadata must be deleted. This must happen so that the rollback attack check (*), which makes sure that the version number of the new delegated targets is higher than (or equal to) that of the old, does not prevent updates after an ffwd attack.

For the top-level targets metadata, ffwd recovery logic is performed based on key removals in the root metadata and thus can happen before downloading the snapshot metadata. For delegated targets, on the other hand, where the keys are defined by delegating targets role(s) and not in the root metadata, ffwd recovery logic can only be performed after the delegating targets have been downloaded.

(*) Note that there are two targets role rollback checks. One is based on the snapshot metadata, to fail early, i.e. before a potentially compromised (delegated) targets metadata is downloaded, and the other is based directly on the (delegated) targets metadata, so that an attacker needs to compromise snapshot and (delegated) targets keys to successfully perform a rollback attack.

This commit updates the client workflow according to the above observations.
1 parent fa2d263 commit 65e042d

File tree

1 file changed

+32
-21
lines changed

tuf-spec.md

Lines changed: 32 additions & 21 deletions
@@ -1220,14 +1220,13 @@ non-volatile storage as FILENAME.EXT.
12201220
metadata file, discard it, abort the update cycle, and report the potential
12211221
rollback attack.
12221222

1223-
* **3.3.2**. The version number of the targets metadata file, and all
1224-
delegated targets metadata files (if any), in the trusted snapshot metadata
1225-
file, if any, MUST be less than or equal to its version number in the new
1226-
snapshot metadata file. Furthermore, any targets metadata filename that was
1227-
listed in the trusted snapshot metadata file, if any, MUST continue to be
1228-
listed in the new snapshot metadata file. If any of these conditions are
1229-
not met, discard the new snapshot metadadata file, abort the update cycle,
1230-
and report the failure.
1223+
* **3.3.2**. The version number of the top-level targets metadata file, in
1224+
the trusted snapshot metadata file, if any, MUST be less than or equal to
1225+
its version number in the new snapshot metadata file. Furthermore, any
1226+
targets metadata filename that was listed in the trusted snapshot metadata
1227+
file, if any, MUST continue to be listed in the new snapshot metadata file.
1228+
If any of these conditions are not met, discard the new snapshot metadadata
1229+
file, abort the update cycle, and report the failure.
12311230

12321231
* **3.4**. **Check for a freeze attack.** The latest known time should be
12331232
lower than the expiration timestamp in the new snapshot metadata file. If
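Review bot: The typo "metadadata" in the rewritten 3.3.2 ("discard the new snapshot metadadata / file") is carried over verbatim from the removed lines; since the paragraph is being rewritten anyway, change it to "metadata". Narrowing 3.3.2 to the top-level targets file is consistent with the per-delegation snapshot check this commit introduces in 4.5.2.3, so no objection to the substance.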
@@ -1287,7 +1286,18 @@ non-volatile storage as FILENAME.EXT.
12871286
* **4.5.2.1**. Let DELEGATE denote the current target role TARGETS is
12881287
delegating to.
12891288

1290-
* **4.5.2.2**. **Download the DELEGATE targets metadata file**, up to either
1289+
* **4.5.2.2**. **Fast-forward attack recovery.** If a threshold of
1290+
delegated targets keys for the current delegation are removed from the
1291+
TARGETS metadata, delete the trusted DELEGATE metadata, if any, and the
1292+
previously trusted snapshot metadata.
1293+
1294+
* **4.5.2.3**. **Check for a rollback attack via snapshot.** The version number of the
1295+
DELEGATE metadata in the previous trusted snapshot metadata, if any, MUST
1296+
be less than or equal to its version number in the new trusted snapshot
1297+
metadata. If this is not the case, abort the update cycle, and report the
1298+
potential rollback attack.
1299+
1300+
* **4.5.2.4**. **Download the DELEGATE targets metadata file**, up to either
12911301
the number of bytes specified in the snapshot metadata file, or some Z
12921302
number of bytes. The value for Z is set by the authors of the application
12931303
using TUF. For example, Z may be tens of kilobytes. IF DELEGATE cannot be
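Review bot: The trigger in 4.5.2.2, "a threshold of delegated targets keys for the current delegation are removed from the TARGETS metadata", does not say which earlier TARGETS metadata the removal is measured against; "removed" implies a comparison, so state explicitly that it is relative to the previously trusted TARGETS metadata. Also, 4.5.2.3 aborts on a version regression but, unlike 3.3.2, does not say which file to discard; specify whether the new (already trusted) snapshot metadata is to be discarded so the client is not left trusting a snapshot that failed the check. Minor: the 4.5.2.3 heading line exceeds the wrap width used by the surrounding list items.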
@@ -1300,39 +1310,40 @@ non-volatile storage as FILENAME.EXT.
13001310
in the snapshot metadata file. In either case, the client MUST write the
13011311
file to non-volatile storage as FILENAME.EXT.
13021312

1303-
* **4.5.2.3**. **Check against snapshot metadata.** The hashes (if any), and
1313+
* **4.5.2.5**. **Check against snapshot metadata.** The hashes (if any), and
13041314
version number of the new DELEGATE metadata file MUST match the trusted
1305-
snapshot metadata. This is done, in part, to prevent a mix-and-match
1315+
snapshot metadata, if any. This is done, in part, to prevent a mix-and-match
13061316
attack by man-in-the-middle attackers. If the new DELEGATE metadata file
13071317
does not match, abort the update cycle, and report the failure.
13081318

1309-
* **4.5.2.4**. **Check for an arbitrary software attack.** The new DELEGATE
1319+
* **4.5.2.6**. **Check for an arbitrary software attack.** The new DELEGATE
13101320
metadata file MUST have been signed by a threshold of keys specified in the
13111321
TARGETS metadata file. If the new DELEGATE metadata file is not signed
13121322
as required, abort the update cycle, and report the failure.
13131323

1314-
* **4.5.2.5**. **Check for a rollback attack.** The version number of the
1315-
trusted DELEGATE metadata file, if any, MUST be less than or equal to the
1316-
version number of the new DELEGATE metadata file. If the new DELEGATE
1317-
metadata file is older than the trusted DELEGATE metadata file, discard
1318-
it, abort the update cycle, and report the potential rollback attack.
1324+
* **4.5.2.7**. **Check for a rollback attack on the DELEGATE metadata.**
1325+
The version number of the trusted DELEGATE metadata file, if any, MUST be
1326+
less than or equal to the version number of the new DELEGATE metadata
1327+
file. If the new DELEGATE metadata file is older than the trusted
1328+
DELEGATE metadata file abort the update cycle, and report the potential
1329+
rollback attack.
13191330

1320-
* **4.5.2.6**. **Check for a freeze attack.** The latest known time
1331+
* **4.5.2.8**. **Check for a freeze attack.** The latest known time
13211332
should be lower than the expiration timestamp in the new DELEGATE
13221333
metadata file. If so, the new DELEGATE file becomes the trusted DELEGATE
13231334
file. If the new DELEGATE metadata file is expired, abort the update
13241335
cycle, and report the potential freeze attack.
13251336

1326-
* **4.5.2.7**. If the current delegation is a multi-role delegation,
1337+
* **4.5.2.9**. If the current delegation is a multi-role delegation,
13271338
recursively visit each role, and check that each has signed exactly the
13281339
same non-custom metadata (i.e., length and hashes) about the target (or
13291340
the lack of any such metadata). Otherwise, abort the update cycle, and
13301341
report the failure.
13311342

1332-
* **4.5.2.8**. If the current delegation is a terminating delegation,
1343+
* **4.5.2.10**. If the current delegation is a terminating delegation,
13331344
then jump to step 5.
13341345

1335-
* **4.5.2.9**. Otherwise, if the current delegation is a non-terminating
1346+
* **4.5.2.11**. Otherwise, if the current delegation is a non-terminating
13361347
delegation, continue processing the next delegation, if any, by repeating
13371348
step 4.5 with DELEGATE as the current TARGET role. Stop the search, and
13381349
jump to step 5 as soon as a delegation returns a result.
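Review bot: The rewritten 4.5.2.7 drops the "discard it," that the removed 4.5.2.5 had before "abort the update cycle", yet the new DELEGATE file was written to non-volatile storage in 4.5.2.4, so a file that fails the rollback check would be left on disk; restore the discard wording, as 3.3.2 keeps it for snapshot metadata. A comma is also missing after "trusted DELEGATE metadata file" in the same sentence. The renumbering of 4.5.2.5 through 4.5.2.11 is consistent with the two inserted steps.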
